Wednesday, May 21, 2014

Embedding Google Doc without left hand thumbnail/preview page view

I use Google Doc viewer with a number of clients and now Google seems to be limiting bandwidth with files that are hotlinked from other sites. So now I have had to host those files on Google Drive. However, embedding files from GDrive includes the page preview pane.

Here's how to turn the Google Doc Viewer page preview pane off.

Here's a sample URL of a file hosted on Google Drive, named metadata.pdf (see above image)

from this standard Google Drive URL

Cut and paste into this Google Document Viewer URL

then place the
<iframe>:

&pid=explorer&efh=false&a=v&chrome=false&embedded=true" width="640px" height="480px"></iframe>

See example on my Solutions Tab

Sunday, May 18, 2014

Using AccessEnum to hunt down unknown file SIDs - User read/write with ???

AccessEnum is a Windows SysInternals tool that reliably lists SIDs and user accounts on Windows 7, 8+

"While the flexible security model employed by Windows NT-based systems allows full control over security and file permissions, managing permissions so that users have appropriate access to files, directories and Registry keys can be difficult. There's no built-in way to quickly view user accesses to a tree of directories or keys. AccessEnum gives you a full view of your file system and Registry security settings in seconds, making it the ideal tool for helping you for security holes and lock down permissions where necessary." Download AccessEnum

Download and run AccessEnum with elevated privileges and you typically see some positive results:

When I ran AccessEnum on C:\ (root), it revealed some questionable ??? read / write users.

Right-clicking the highlighted file reveals the Current Owner: Unable to display current owner. I tried running icacls in a Windows cmd prompt:

PS C:\>ICACLS "C:\windows\winsxs\temp\pendingrenames\01b8c129d167cf01b5070000ec288829.install.ins" /reset /T /C


and it returned Access is denied.


Solution - Just drop all current owners and re-create the owners.

Right-click, choose the Security tab, then choose Continue, which pops up another window in which you can add a known good account, mainly you.

Once I did this I could see the file contents of *.install.ins

This file seems innocuous enough, but I am satisfied that I know who controls it now and it's not a hacked account.

Now running both of these scripts worked to reset the ACL on this file

Windows CMD (Elevated) Script:
ICACLS "C:\path\to\folder\filename.extension" /reset /T /C

Running this script adds inheritance back to the ACL for that directory.

Windows CMD (Elevated) Script:
ICACLS "C:\path\to\folder\filename.extension" /inheritance:e /T /C

The result is that if you right-click on the file you get the correct ACL group and user names.
Note: This file name is incorrect; the file above got deleted, but this one has the same ACL.
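AccessEnum shows "???" where a SID on an ACL cannot be matched to an account. The same check can be scripted; the following is an added example, not part of the original post or of AccessEnum, and the function name `Get-UnresolvedAclEntry` is illustrative. It assumes PowerShell 3.0 or later and only reads ACLs.

```powershell
# Added example: report owners and ACEs whose SID does not map to an account name.
# Get-UnresolvedAclEntry is an illustrative name; requires PowerShell 3.0 or later.
function Get-UnresolvedAclEntry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recurse
    )

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $ntType  = [System.Security.Principal.NTAccount]

    # $true when the SID cannot be translated to DOMAIN\name
    # (IdentityNotMappedException for deleted accounts; other lookup failures count too).
    function Test-Unresolved($Sid) {
        try   { [void]$Sid.Translate($ntType); return $false }
        catch { return $true }
    }

    function New-Finding($File, $Role, $Sid, $Rights, $Note) {
        # Capability SIDs (S-1-15-3-...) never resolve to a name; flag them as expected.
        if ($Sid -like 'S-1-15-3-*') { $Note = "$Note; capability SID, expected" }
        [pscustomobject]@{ Path = $File; Role = $Role; Sid = $Sid; Rights = $Rights; Note = $Note }
    }

    $items = @(Get-Item -LiteralPath $Path -Force -ErrorAction Stop)
    if ($Recurse) {
        $items += @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    }

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            # Same symptom as in the post: the security descriptor itself is unreadable.
            New-Finding $item.FullName 'ACL' $null $null $_.Exception.Message
            continue
        }

        $owner = $acl.GetOwner($sidType)
        if ($owner -and (Test-Unresolved $owner)) {
            New-Finding $item.FullName 'Owner' $owner.Value $null 'owner does not resolve'
        }

        # Explicit and inherited ACEs, returned as raw SIDs so nothing is hidden by name lookup.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if (Test-Unresolved $ace.IdentityReference) {
                $kind = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
                New-Finding $item.FullName "$($ace.AccessControlType) ACE" `
                    $ace.IdentityReference.Value $ace.FileSystemRights $kind
            }
        }
    }
}

# Read-only scan of the current user's temp folder; point -Path at the tree under review.
Get-UnresolvedAclEntry -Path $env:TEMP -Recurse | Format-Table -AutoSize
```

Rows with Role `ACL` are files whose permissions could not be read at all, which is the state the file in this post was in before ownership was re-created.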

Friday, May 9, 2014

How to determine the Windows Master File Table (MFT) Size

In my series of articles related to the Windows Master File Table (MFT), let's understand how to get the size of the MFT on your disk.

The common approach is to issue the following command

fsutil fsinfo ntfsinfo C:

This yields the output in which we can see the field labeled MFT Valid Data Length, but for busy administrators this hex value takes too much time to deal with.

Luckily, the excellent team at Sysinternals produced a tool to get around these hexadecimal numbers.

NTFSInfo is a little applet that shows you information about NTFS volumes. Its dump includes the size of a drive's allocation units, where key NTFS files are located, and the sizes of the NTFS metadata files on the volume. This information is typically of little more than curiosity value, but NTFSInfo does show some interesting things. For example, you've probably heard about the NTFS equivalent of the FAT file system's File Allocation Table. Its called the Master File Table (MFT), and it is made up of constant sized records that describe the location of all the files and directories on the drive. What's surprising about the MFT is that it is managed as a file, just like any other.

Download NTFSInfo and save it in the C:\windows\system32 path, so you can run it from the command line as Administrator

ntfsinfo C:

This yields

From here we can see this drive has an MFT Size of 160 MB out of 129.6 Gb, leaving 126.99 Gb of space that can be used. Roughly 0.1 % of the drive space after it has been formatted.

The actual disk size can be found running MSINFO32 (Start->Run->msinfo32).

So this disk, after formatting has lost 350Mb for partitioning (reserved disk) and 2*160Mb for NTFS MFT overhead for a total of 670Mb or ~ .7Gb out of 126.99 Gb disk or 130Gb advertised space.
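The hexadecimal fields printed by `fsutil fsinfo ntfsinfo` can also be converted in a few lines of PowerShell. This is an added example, not the tool mentioned in this post; `ConvertFrom-NtfsInfo` is an illustrative name, and the sample text is constructed to match the figures above rather than captured from a real system.

```powershell
# Added example. $sample is constructed to match the figures in the post
# (160 MB MFT on a ~129.6 GB volume); it was not captured from a real system.
$sample = @'
NTFS Volume Serial Number :       0x0123456789abcdef
Version :                         3.1
Total Clusters :                  0x0000000002066666
Bytes Per Sector  :               512
Bytes Per Cluster :               4096
Mft Valid Data Length :           0x000000000a000000
'@

# ConvertFrom-NtfsInfo is an illustrative name, not part of fsutil or Sysinternals.
function ConvertFrom-NtfsInfo {
    param([Parameter(Mandatory)][string[]]$Lines)

    $fields = @{}
    foreach ($line in $Lines) {
        # "Label : value" where value is 0x-prefixed hex or a plain decimal integer.
        # Lines such as "Version : 3.1" do not match and are skipped.
        if ($line -match '^\s*(?<name>[^:]+?)\s*:\s*(?<value>0x[0-9a-fA-F]+|\d+)\s*$') {
            $name = $Matches['name']
            $raw  = $Matches['value']
            if ($raw -like '0x*') {
                $fields[$name] = [Convert]::ToUInt64($raw, 16)
            } else {
                $fields[$name] = [uint64]$raw
            }
        }
    }

    foreach ($required in 'Bytes Per Cluster', 'Total Clusters', 'Mft Valid Data Length') {
        if (-not $fields.ContainsKey($required)) {
            throw "Field '$required' is missing or not a hex/decimal integer."
        }
    }

    $volumeBytes = [double]$fields['Total Clusters'] * [double]$fields['Bytes Per Cluster']
    $mftBytes    = [double]$fields['Mft Valid Data Length']

    # 1MB and 1GB are PowerShell's binary multipliers (1024-based).
    [pscustomobject]@{
        VolumeGB   = [math]::Round($volumeBytes / 1GB, 2)
        MftMB      = [math]::Round($mftBytes / 1MB, 2)
        MftPercent = [math]::Round(100 * $mftBytes / $volumeBytes, 3)
    }
}

# Run over the constructed sample.
ConvertFrom-NtfsInfo -Lines ($sample -split '\r?\n')

# Live use from an elevated prompt:
# ConvertFrom-NtfsInfo -Lines (fsutil fsinfo ntfsinfo C:)
```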

Search my other posts on this and a tool I created for this.

Understanding Windows Master File Table (MFT) Allocation and Fragmentation

When you format a new hard drive (or it comes pre-formatted), you are instructing your operating system to organize that disk using a specific format such as FAT, FAT32, or New Technology File System (NTFS), which is the default disk format for Windows 8.1 and Server 2012.

 NTFS Architecture

But first, before you can format the disk you have to partition it. A partition contains a volume which can be formatted. Partitions arose to meet the requirement to split a physical disk into many logical disks with other formats on them.

A partition contains a Master Boot Record (MBR) and holds the information on how the logical partitions, containing file systems, are organized on that medium.

Sector zero will house the Master Boot Record (MBR), which contains the partition table.  The partition table will tell us where the partition will start and how big it is.  Once the partition is formatted a volume is created.  The volume starts at the first boot sector and ends at the last boot sector (aka backup boot sector). Now you can format the volume, in this case NTFS.

GUID Partition Table GPT Style

Instead of having a four line partition table, there is a 32 sector partition array.  This allows us to have more partitions as well as much larger partitions.  Also, there is a backup Partition Array out at the end of the drive.  This gives us partition information redundancy that MBR disks just don’t have.
The MS Reserved Partition marks off an area of the disk for Windows to use to store metadata that is not part of the file system.  Previously this metadata was stored in unprotected regions of the disk.
The volume is just like it was before.  It starts at the first boot sector and ends at the last.
Keep in mind that in using GPT we are just changing how we define the box, not the contents of the box. Assuming that you are using NTFS, the file system is the same in both examples.  I can’t stress this enough.  There is no difference in NTFS between MBR and GPT.  In fact if you create a GPT disk smaller than 2 TB in size, a clever person could change the box with a sector editor, turn it into an MBR disk, and never alter the volume itself.  NTFS is blissfully unaware of what type box it lives in.
See GPT Dynamic here.

The Master File Table (MFT) is an executive private area responsible for organizing all your files on the disk, so they are accessed quickly and reliably. It is a sort of database for files, which are stored in chunks called allocation units. This master "database" is called the Master File Table (MFT).

That structure has a cost to it.

NTFS MFT Reservation ~ 12.5%

For NTFS, a slice of the HD that contains all file records is called the Master File Table (MFT).
index and log files, that keep track of file changes on the disk, and is known as a journaling file system. NTFS uses $LogFile to record metadata changes to the volume; it is part of a whole slew of hidden NTFS meta-files.

By default NTFS reserves this zone, at 12.5%.

Please see for full details, but states "NTFS reserves 12.5 percent of the volume for exclusive use of the MFT until and unless the remainder of the volume is completely used up."

However, when, for example, a lot of files are placed on the drive, the MFT can grow beyond the reserved zone and become fragmented.

Another reason is that when you delete a file, NTFS does not always reuse its space in the MFT to store a new one; it just marks the MFT entry as deleted and allocates a new entry for the new file. This provides some performance and recovery benefits, but it forces the MFT to become fragmented.

The more the MFT is fragmented, the more the HDD heads have to move to access the data, and the lower the overall performance of the file system. A great article, "The Four Stages of NTFS File Growth", covers this in great detail ;)

Starting from Windows NT 4.0 SP4 you can define MFT Zone Reservation value through the Registry.

Registry Key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

Value NtfsMftZoneReservation of DWORD type (1 to 4)

allows you to specify the MFT Zone for newly created/formatted volumes (12.5 percent, 25 percent, 37.5 percent, 50 percent of the NTFS volume respectively).

For further reading, see Optimizing NTFS

Master File Table De-Fragmentation

The Master File Table contains frequently used system files and indexes that manage files on your NTFS volume, so a fragmented MFT has a large effect on the performance of the entire volume.

So how can you tell if your MFT is fragmented?

Wisely, Windows Sysinternals, a suite of tools written and purchased from  by Mark Russinovich and Bryce Cogswell, has a solution.

Contig v1.7 is a free disk defragger, that can defragment these hidden NTFS meta-files.

There are many defrag tools on the market, but they end up making the MFT even more fragmented, so this is the tool, period! Use it.

You can get it at http://technet.microsoft.com/en-us/sysinternals/bb897428.aspx

Thursday, May 8, 2014

Why you have ~10% less Hard Drive/USB space than the advertised space on the package?

Why do you have less hard drive / USB drive size in Windows than advertised?

Let's examine this. I recently purchased a USB stick with an advertised capacity of 32Gb of data.

When I plugged in this USB drive and went to format it in Windows, I got a reported maximum capacity of only 29.7G of space?

This is an apparent loss of 32-29.7 = 2.3 Gigs of space! Or 6.7% of space gone.
What happened? Where did that extra space go, I didn't do anything yet.

Let's take an in-depth look into the drive info to find out. A clever way to do this is to run MSINFO32.exe (Start->Run->type msinfo32). Go to Components > Storage > Disks and scroll down to the General USB Disk.

Here we see the reported Size is 29.71Gb (31,905,861,120 bytes) for the USB Drive.

Advertisers are taking the total bytes number and treating it as a normal decimal number.
By their math, dividing by 1000 to get a shift of 3 places results in this:

31,905,861,120 bytes = 31,905,861 Kb = 31,905 Mb = ~ 32Gb ADVERTISED

But this is wrong. Bytes is NOT a decimal number.

How many bits are in a byte? Well, there are 8 bits in a byte. Each bit can be either 1 or 0. A bit is called a binary number. Binary is base 2, whereas decimal is base 10 because it has 10 digits {0,1,2,3,4,5,6,7,8,9}.

So to move a number by 3 places in binary we have to divide by 1024, which is a standard agreed by the International Electrotechnical Commission.

Let's do the right math, we divide by 1024 to get shift of 3 places.

31,905,861,120 bytes = 31,158,067.5 Kb = 30,427.8 Mb = 29.71Gb ACTUAL

Windows correctly reports the size of the hard disk/USB Flash Disk drive.

Advertisers are reporting the wrong HD/USB space. Advertisers are using the wrong math when calculating gigabyte sizes.

So you are losing 2.2 Gb ~ 6.7% of space on this 32Gig HD out of the box!

This chart summarizes the amount of lost data because of bad math.

As we can see, Windows reports the actual HD/USB space correctly, and advertisers are ripping you off.
A class action lawsuit was settled by Western Digital in 2006 over HD size; that's how old this issue is, and marketers are still doing it! Sue my friends, sue.

Here's a logarithmically scaled version from Wikipedia.


Registry settings for an IE Toolbar / Taskbar Toolbar aka "Band Objects" to appear

If you are developing an IE Toolbar or Windows Taskbar Toolbar (aka Deskband), a category of Band Object or BHO, then you'll have referenced the quintessential article Extending Explorer with Band Objects using .NET and Windows Forms by Pavel Zolnikov, 29 Apr 2002.

In searching for an answer, I wondered where Pavel got his information from. Well, it's always wise to go to the source material about this topic.

One of the first articles about Band Object "IE Toolbar" was published in the Microsoft System Journal Magazine, entitled "MyBand is Your Band: More Reusable MFC Goodies with Band Objects and COMToys", Paul DiLascia, November 1999, source code still available.

Way before Codeproject and forums in general, hungry developers awaited issues of Microsoft System Journal Magazine. You think 2002 (12yrs ago) is old; the original article published on this topic was in 1999 (15yrs ago) and is still relevant and has great detail because COM will live forever:)

Registering MyBands

Technically I still haven't even told you exactly what a band object is yet, but never mind—it's time to discuss registration. In COM, you can't even blow your nose without registering. Here are the registry entries for the Web Search Band:

HKEY_CLASSES_ROOT
  CLSID
    {4647E383-520B-11d2-A0D0-004033D0645D} = "&Web Search Band"
      InprocServer32 = MyBands.dll
        ThreadingModel=Apartment
      Implemented Categories
        {00021492-0000-0000-C000-000000000046}

CLSID, InprocServer32, ThreadingModel— it's all COM 101. The only thing that's new for bands is the previously mentioned category ID, which goes under the key Implemented Categories. In general, a COM object declares to the world what categories it implements by listing them under HKCR\CLSID\guid\Implemented Categories. Of course, you don't register a COM object by hand—COM objects are expected to register themselves. When you type

  regsvr32.exe MyBands.dll

regsvr32 calls the special entry DllRegisterServer to register MyBands. If you add /u before the file name, it calls DllUnregisterServer. BandObj.cpp provides default implementations for these standard entries as well as the others, DllGetClassObject and DllCanUnloadNow. The default implementations call special MFC functions designed to do the right thing.

MY TIP: Use correct Regsvr32 and gacutil.exe, either 32-bit version or 64-bit version!!!!

Source, and great in-depth article on band objects: https://www.microsoft.com/msj/1199/bandobj/bandobj.aspx

Additionally, this article tackles this - Issues faced while extending IE with Band Objects using .NET and Windows Forms

Tuesday, May 6, 2014

Critical Error: Event ID 27; Event Source Volsnap; Windows 7 : The shadow copies of volume C: were deleted because the shadow copy storage could not grow in time.

If you are getting a Critical Error with Event ID: 27; Event Source: Volsnap; in the event log with the following pop-up

with either explanation;

1. The shadow copies of volume C: were aborted during detection because a critical control file could not be opened.
2. The shadow copies of volume C: were deleted because the shadow copy storage could not grow in time.  Consider reducing the IO load on the system or choose a shadow copy storage volume that is not being shadow copied.

So here's some information on this event ID, particularly on Windows 7, 8, 8.1 x64 systems.

Root Cause Analysis

1. Windows 7 includes a feature, called System Protection, that automatically saves the computer's system files and settings as versions.

In Windows 8, 8.1, in addition to System Protection, the feature has been extended to include versioning of the user's files and documents and is called File History. An excellent article from Windows Engineering Team about File History can be found here and how to enable it.

Both of these services use Volume Shadow "Copy" Service (VSS), which can generate Volsnap errors, with the same message as in the table below.
In Win 7/8+, see the System Protection tab of the System Properties window, available from the Control Panel icon named System.

So check that your System Protection/File History is enabled and has enough space to function.

2. A lot of these errors seem to be related to virtual machines locking up or freezing when performing a backup of the Hyper-V host and virtual machines using Windows Server Backup. So on Windows 7 or Windows 8 this could be when using Virtual PC or VMWare.

This is usually caused by a VM that has shadow storage for a data partition on a partition that is not local (i.e.  the shadow storage for d: is on c:).  Since Hyper-V reverts one VHD at a time, this can cause volsnap to abort snapshot discovery.  If the affected partition isn't part of the system state, then the Hyper-V writer will ignore the error.

The 3rd party backup is probably including a different subset of the child partitions. The issue may be with third party backup software.

Please verify all the settings for the Hyper-V host to back up running VMs and initiate the backup using Windows Server Backup, then see whether the same issue still exists.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/2a434be6-9b61-4f7d-a74b-b7707d30c655/server-backup-errors-on-hyperv-r2?forum=windowsbackup

3. Another major cause for this error is SQL Server which uses VSS.

i.  VSS errors for SQL Server cause failing backups here.

ii. Time-out errors occur in Volume Shadow Copy service writers here.

4. To check for Volume Shadow Copy errors from the command line, use the following:

Vssadmin List ShadowStorage

Lists the volume shadow storage space currently in use, the space that is reserved for future use (labeled as allocated), and the maximum space that might be dedicated. This space is used to store changes while a shadow copy is active. The following sample output was generated using a computer that currently had about 3GB of files stored in a shadow copy, but that might allocate as much as 6.4GB.

See how to Manage Volume Shadow Copy Service from CMD line here.

5. Sometimes this error is paired with another VolSnap error. Since Event ID 27 is blocking VSS functions, other errors are likely to occur for VSS operations.

> Check the event log to see if you can find another Event ID with VolSnap and check the table below for a match. In the image above, it is Event ID 25, which has an entry in the table below of the Diff Area Integrity event errors.
Microsoft has laid out event ID errors in a very large tree; see here.
Note: The titles are linked to parts of the Events and Errors hierarchy for the event log.
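Step 5 can be scripted: given a set of event records, list every other VolSnap or VSS event logged close to each Event ID 27. This is an added example, not part of the original post; the function name and the 5-minute window are assumptions, and the sample events are constructed from the messages and IDs quoted on this page.

```powershell
# Added example. Provider names 'volsnap' and 'VSS' come from the Source column on
# this page; the function name and the 5-minute window are assumptions.
function Get-VolsnapCompanionEvent {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$AnchorId = 27,
        [int]$WindowMinutes = 5
    )
    # Keep only shadow-copy related sources, then pick the anchor events.
    $vss     = @($Events | Where-Object { $_.ProviderName -in 'volsnap', 'VSS' })
    $anchors = @($vss | Where-Object { $_.ProviderName -eq 'volsnap' -and $_.Id -eq $AnchorId })

    foreach ($a in $anchors) {
        $vss |
            Where-Object {
                ($_.Id -ne $AnchorId -or $_.ProviderName -ne 'volsnap') -and
                [math]::Abs(($_.TimeCreated - $a.TimeCreated).TotalMinutes) -le $WindowMinutes
            } |
            Sort-Object TimeCreated |
            ForEach-Object {
                [pscustomobject]@{
                    AnchorTime    = $a.TimeCreated
                    Source        = $_.ProviderName
                    EventId       = $_.Id
                    OffsetSeconds = [int]($_.TimeCreated - $a.TimeCreated).TotalSeconds
                    Message       = $_.Message
                }
            }
    }
}

# Constructed sample records (not taken from a real event log).
$t0 = [datetime]'2014-05-06T09:00:00'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t0.AddHours(-2); ProviderName = 'volsnap'; Id = 25
        Message = 'The shadow copies of volume C: were deleted because the shadow copy storage could not grow in time.' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(-40); ProviderName = 'volsnap'; Id = 25
        Message = 'The shadow copies of volume C: were deleted because the shadow copy storage could not grow in time.' }
    [pscustomobject]@{ TimeCreated = $t0; ProviderName = 'volsnap'; Id = 27
        Message = 'The shadow copies of volume C: were aborted during detection because a critical control file could not be opened.' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(10); ProviderName = 'Service Control Manager'; Id = 7036
        Message = 'Constructed unrelated service state change.' }
)

# Only the Event ID 25 record 40 seconds before the anchor is inside the window.
Get-VolsnapCompanionEvent -Events $sample | Format-Table -AutoSize

# Live use from an elevated prompt (System log for volsnap, Application log for VSS):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'System', 'Application'
#             ProviderName = 'volsnap', 'VSS' } -ErrorAction SilentlyContinue
# Get-VolsnapCompanionEvent -Events $live | Format-Table -AutoSize
```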

Files Services - Shadow Copies of Shared Folders - Diff Area Integrity
http://technet.microsoft.com/en-us/library/dd364947(v=ws.10).aspx

Applies To: Windows Server 2008,  but matches Windows 7, Windows 8+ errors

The Diff Area is the storage space that Shadow Copies of Shared Folders allocates on a volume for maintaining the snapshots of the contents of shared folders. A snapshot is a block-level set of information that represents the differences between the current content and content from a previous point in time. The integrity of existing and new snapshots depends on the integrity of the Diff Area.

Events

| Event ID | Source | Message |
|---|---|---|
| | VolSnap | The shadow copy of volume %2 could not create a diff area file on volume %3 |
| | VolSnap | The shadow copy of volume %2 could not be created because volume %3, which is specified as part of the diff area, is not an NTFS volume or an error was encountered while trying to determine the file system type of this volume. |
| | VolSnap | The shadow copy of volume %2 could not lock down the location of the diff area file on volume %3. |
| | VolSnap | The shadow copies of volume %2 were aborted because of an IO failure on volume %3. |
| | VolSnap | The shadow copies of volume %2 were aborted because volume %3, which contains a diff area file for this shadow copy, was force dismounted |
| | VolSnap | There was insufficient disk space on volume %3 to create the shadow copy of volume %2.  Diff area file creation failed. |
| | VolSnap | There was insufficient disk space on volume %3 to grow the diff area for shadow copies of %2.  As a result of this failure all shadow copies of volume %2 are at risk of being deleted. |
| | VolSnap | The shadow copies of volume %2 were aborted because the diff area file could not grow in time.  Consider reducing the IO load on this system to avoid this problem in the future. |
| | VolSnap | The oldest shadow copy of volume %2 was deleted to keep disk space usage for shadow copies of volume %2 below the user defined limit. |
| | VolSnap | The shadow copies of volume %2 were aborted because the diff area file failed to grow. |
| | VolSnap | The shadow copies of volume %2 were aborted because the diff area file could not grow due to a user imposed limit. |
| | VolSnap | There was a user imposed limit that prevented disk space on volume %3 from being used to grow the diff area for shadow copies of %2.  As a result of this failure all shadow copies of volume %2 are at risk of being deleted. |
| | VolSnap | The shadow copies of volume %2 were aborted because volume %3 has been dismounted. |
| | VolSnap | When preparing a new volume shadow copy for volume %2, the shadow copy storage on volume %3 did not have sufficiently large contiguous blocks.  Consider deleting unnecessary files on the shadow copy storage volume or use a different shadow copy storage volume |

I did find Event ID 27, but source is VSS and VolSnap and therefore message does not apply.

But the category "Volume Shadow Copy Service Operations" seems like a likely place for the "The shadow copies of volume C: were aborted during detection because a critical control file could not be opened." error.

Files Services - Volume Shadow Copy Service - Volume Shadow Copy Service Operations
http://technet.microsoft.com/en-us/library/cc734545(v=ws.10).aspx

The Volume Shadow Copy Service (VSS) provides the ability to create a point in time image (shadow copy) of one or more volumes that can be used to perform backups. The service is also used during restores of applications.

Events

| Event ID | Source | Message |
|---|---|---|
| | VSS | Volume Shadow Copy Service information: The COM Server with CLSID %1 and name %2 cannot be started. [%3] %4 |
| | VSS | The user name %1 specified in registry (%2) does not map to a real user name. The entry is ignored. It must have a valid username as name, be of type REG_DWORD, and value either '0' or '1'. %3 |
| | VSS | The value with name %1 specified in registry (%2) is not of type REG_DWORD. The entry is ignored. It must have a valid username as name, be of type REG_DWORD, and value either '0' or '1'. Value '0' denies the username from running any VSS writer. Value '1' is used to allow it. %3 |
| | VSS | The value with name %1 specified in registry (%2) of value (%3) cannot be interpreted. The entry is ignored. It must have a valid username as name, be of type REG_DWORD, and value either '0' or '1'. Value '0' denies the username from running any VSS writer. Value '1' is used to allow it. %4 |
| | VSS | Volume Shadow Copy Service error: The EventSystem service is disabled or is attempting to start during Safe Mode. The Volume Shadow Copy service cannot start while in safe mode. If not in safe mode, make sure that EventSystem service is enabled. CLSID:%1 Name:%2 [%3] %4 |
| | VSS | Volume Shadow Copy Service error: The Volume Shadow Copy infrastructure cannot be used during Safe Mode. %1 |
| | VSS | Volume Shadow Copy Service error: Writers will not receive events since the COM+ database is corrupted. This might happened if an error occurred during Windows setup. The error returned from CoCreateInstance on class with CLSID %1 and Name %2 is [%3] %4 |
| | VSS | Volume Shadow Copy Service error: Either the COM+ Event System service (EventSystem) or the COM+ System Application service (COMSysApp) is disabled. Please enable the service and try again. %1 |
| | VSS | Volume Shadow Copy Service error: The Volume Shadow Copy service (VSS) is disabled. Please enable the service and try again. %1 |
| | VSS | Volume Shadow Copy Service error: The Microsoft Software Shadow Copy Provider (SWPRV) service is disabled. Please enable the service and try again. %1 |
| | VSS | Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = %1. This is often caused by incorrect security settings in either the writer or requestor process. %2 |
| | VSS | Volume Shadow Copy Service error: Writer with name %1 and ID %2 attempted to subscribe in safe mode. %3 |
| | VSS | Volume Shadow Copy Service error: The process that hosts the writer with name %1 and ID %2 does not run under a user with sufficient access rights. Consider running this process under a local account which is either Local System, Administrator, Network Service, or Local Service. %3 |
| | VSS | The VSS service is shutting down due to idle timeout. %1 |
| | VSS | The VSS service is shutting down due to shutdown event from the Service Control Manager. %1 |
| | VSS | Volume Shadow Copy Service error: Error on creating/using the COM+ Writers publisher interface: %1 [%2]. %3 |
| | VSS | Volume Shadow Copy Service error: Error calling a routine on a Shadow Copy Provider %1. Routine details %2 [hr = %3]. %4 |
| | VSS | Volume Shadow Copy Service error: The system may be low on resources. Unexpected error at background thread creation (_beginthreadex returns %1, errno=%2). |
| | VSS | Volume Shadow Copy Service error: The I/O writes cannot be flushed during the shadow copy creation period on volume %1. The volume index in the shadow copy set is %2. Error details: Open[%3], Flush[%4], Release[%5], OnRun[%6]. |
| | VSS | Volume Shadow Copy Service error: The I/O writes cannot be held during the shadow copy creation period on volume %1. The volume index in the shadow copy set is %2. Error details: Open[%3], Flush[%4], Release[%5], OnRun[%6]. |
| | VSS | Volume Shadow Copy Service error: Writer %1 did not respond to a GatherWriterStatus call. |
| | VSS | Volume Shadow Copy Service error: An internal inconsistency was detected in trying to contact shadow copy service writers. Please check to see that the Event Service and Volume Shadow Copy Service are operating properly. %1 |
VSS